Jamf Nation Community

So does anyone there even care? I'm still getting this error!

external image link

And when I go to that URL:

external image link

Have you tried renewing the keys and tokens for you DEP account at deploy.apple.com ??

Okay So I don't get the error in Casper anymore but my iPads still give the NSURLErrorDomain

Thanks

I had that, and a few others (network error, corrupt profile) etc. This is how I solved it for every device:

1. Plug the device into a computer with itunes running.
2. Put the ipad into DFU mode (hold power for 10 seconds, then hold home button for 10 seconds ALSO, then let go of power WHILE STILL HOLDING HOME until iTunes says a device is in recovery mode)
3. Restore the device using iTunes. It'll take 15 minutes to install 7.1, then say there was an activation error (it can't activate DEP devices)
4. Once this all happens and it's fully restored and blank, try to enroll again on the iPad. It's like, the errors get 'stuck' in the iPad, and only a restore back to blank will let it work.

After restoring the devices, they all worked the 1st try.

Thanks for the reply, I tried that as well, Put the iPad into DFU mode, Restored it with iTunes, it took about 10 - 15 minutes to install. Afterwards it still gave me the NSURL error. :(

Okay so now after clicking restore in iTunes I don't get the same error message anymore. Now I see:

Profile Installation Failed
A network error has occurred.

Do I need certain firewall rules setup? I know I can log into JSS from the internet.

Thanks

Lenny

external image link

Hmmm. I was getting the EXACT same error after a while, and I did NOT change firewall or anything. I changed a few things, I'm trying to remember what all.

One thing I DEFINITELY changed was -- enabled the JSS URL for Enrollment Using Built-in SCEP and iPCU
Settings > Global Management > JSS URL -- set it to format http://jss.mycompany.com:9006/

Another, I installed the "Anchor Certificate" for my mobile-device prestage enrollment.
1. Settings > PKI > "Download CA Certificate"
2. Go into your prestage profile, click certificates, click edit, upload the cert you just downloaded.

Wanna try both of these changes, then restore the iPad again in iTunes and let me know what happens? I'll try to remember what else I changed too.

Tried both of those, Still same error. At first I ended up with the NSURL error again after a complete wipe, Then I clicked restore in iTunes and now I'm back to the profile / network error.

Fixed this issue by Completely starting over from scratch. Even wiping the server and reinstalling 2012R2.

When you fixed this did you have to restore your ipads from itunes? Or was reinstalling the server enough?

Is there a fix for this besides wiping out the server. We just started receiving these error messages on the server side today. We've already tried swapping the tokens and public keys, even adding a new PreStage Enrollment server yields the same error.

@jonathan.puebla][/url I've suddenly started receiving this error on 3 separate jss servers. One of them is a clean wipe. I called JAMF support, they had no idea. The tech said he can't even see the prestage setup tab so he can't help.

I know that if it's a MacBook prestage and you check the box to make the enrollment mandatory, AND/OR if you UNcheck "allow removal", it'll fail. Those features aren't possible so JAMF needs to remove the buttons in an update.

My pre-stage enrollment assignments are also failing as of today.

We are also getting the error Unable to contact "https://mdmenrollment.apple.com to get the list of devices" in JAMF DEP and also in prestage enrollment. We have renewed the keys and even went as far as deleting the server in both Casper and Apple's DEP but with no luck. We currently cannot see devices nor can we complete testing for prestage enrollment.

We had the "Unable to contact "https://mdmenrollment.apple.com" error yesterday morning in both PreProd and Prod environments (had been working w/out issue for weeks). I regenerated/reloaded tokens and all good so far. Running 9.31. Monitoring ...

Reloaded the token, but noticed it's still taking long to process. If I do more than 10 at a time, it fails.

I reloaded the Token many times, we are still working with JAMF in trying to figure out why we cannot talk to the MDM and why no devices show.

I'm not receiving the error now when I just did 50.

In my communication with JAMF Support it sounds like there's a defect where if you don't check off most of the boxes, it won't go through. Without these three boxes checked, our PreStage kept failing - https://www.dropbox.com/s/b8s6xj2w986yoyj/Screenshot%202014-06-04%2014.08.37.png

So they're looking into that.

We had other issues cause we changed our internal IP address of the server and never updated the token from Apple. I know its silly but just make sure you're certs and FQDN and ports are all good to go before trying anything else. Once I got all that good, we enrolled right away.

Our iPads aren't having any issues, as the JSS PreStage screen just displays the "Unable to contact mdmenrollment.apple.com..." error message. All the iPads we've uploaded via deploy.apple.com don't refresh and show up in the scope. Even when we try to create a new deployment server from settings, we get "Problem contact Apple services" when we upload the cert.

I am also getting the error message unable to contact mdmenrollment.apple.com, but only for the Mac PreStage Enrollments. With iOS devices I have no issues at all.

Per JAMF's recommendation I've tried generating a new token and uploading that to the JSS, and also deleted the PreStage Enrollment then created a new one but I still get the error for Macs. The strange thing is if you go to the Scope of the saved PreStage Enrollment it DOES see the Macs that have been enrolled in the DEP.

I was also told that while iOS devices automatically enroll using the DEP, Macs will only install the MDM profile and will need to be manually enrolled with the JSS. Can anybody confirm if that is correct? What would be the point of an MDM profile if the device is not enrolled with the JSS?

Per a conversation with JAMF, It has been identified that the issue is a defect in the current version of Casper.
2 scenarios
iOS: Make MDM Profile Mandatory' check box is selected
OSX: when "Make MDM Profile Mandatory" is selected but "Allow MDM Profile Removal" is deselected.

It is expected to be fixed in the next version but we don't know when that will be.
While I have personally experienced the issue with OSX pre stages, I haven't experienced it with iOS.

I am also having this issue with OS X devices.

@qsodji, I see the same thing as you stated with Mac OS X devices.

@qsodji We found those 2 defects, and 3 more causes as well. In addition to yours, there was:

1. Unidentified JAMF issue. We had 3 servers go down at once. They came back up randomly a few days later. Nothing changed on them, the JSS just suddenly couldn't talk to MDM.

2. Time on the JSS server gets out of sync. One of our servers had the time wrong (auto-time stopped refreshing), so Apple's servers were rejecting the connection. As soon as we fixed time, it fixed the issue.

3. Info on DEP-side changed. Our phone number in the DEP changed. We had the error until we generated a new token that contained up-to-date DEP info

Per a conversation with JAMF, It has been identified that the issue is a defect in the current version of Casper. 2 scenarios iOS: Make MDM Profile Mandatory' check box is selected OSX: when "Make MDM Profile Mandatory" is selected but "Allow MDM Profile Removal" is deselected.

I have neither of these selected on the OSX side and am still seeing the error.

We're experiencing the same issue. Our admin will try updating our DEP tokens and see if that fixes it.

This fixed my problem. https://jamfnation.jamfsoftware.com/featureRequest.html?id=2270

Turns out, our time server on our JSS was off by 9 minutes. Updated it via command line and it resolved it immediately. (face palm)

Everything went fine for me on the iOS side, but I get the same error for OSX (with "Make MDM Profile Mandatory" selected and "Allow MDM Profile Removal" deselected). We are cloud hosting the JSS; is there any way to update the time server? We're on Pacific time but all of our time stamps are in Eastern time. I'm not sure if that would make a difference or not.

We are running JSS 9.3 and started recieving this error when attempting to create a new Pre-Stage Enrollment for iOS devices:

Unable to contact https://mdmenrollment.apple.com about a new PreStage enrollment or changes to an existing PreStage enrollment

We have created iOS Pre-Stage enrollments in the past without any trouble.

We like to make the MDM profile mandatory and not allow it to be deleted, but I can confirm that in our case, unchecking "Make MDM Profile Mandatory" and checking "Allow MDM Profile Removal" fixes the above error. That is unfortunate considering that we like to make the MDM profile mandatory.

@dboeshart][/url

The behavior you described is certainly not intended, and is the result of a currently open defect.

For reference, the defect ID is D-007032.

The workaround to the defect is exactly what you've described in your post.

If you haven't already contacted your Technical Account Manager to open up a case on the issue, please do so when you get a chance so we can get the case attached to D-007032 for tracking purposes.

Thanks!

Amanda Wulff
JAMF Software Support

I had this issue when I was testing 9.40 back on 8/19. I contacted Support, and used the workaround of the non-Mandatory and Removable PreStage enrollment.

I could not find the details in my notes today, so I made this the last thing I tested again before going live. It works. Both my test box running 9.40, and after I upgraded live to 9.40.

Perhaps it turned out not to be an issue in the JSS code but in communicating with Apple?

I'm happy. :) :)

chris

I'm am seeing "Unable to contact https://mdmenrollment.apple.com" again in 9.51. Is the issue back?

@Nick_Gooch we saw this this morning on both our servers. I think it happened last week when we accepted the new DEP terms. We renewed the key and the token and all is good again.

Thank you! We had to accept the new terms and conditions but didn't need to renew the keys and tokens. All is working again.

+1 for accepting new terms. Log in to http://deploy.apple.com and accept the new terms and conditions. Then go back to the JSS. I tried editing a PreStage Enrollment and the error went away.

Thanks!
~Joe

We just started seeing this message two days ago. iPads are not enrolling successfully (getting an "Invalid Profile" error) and the JSS is showing "Unable to contact https://mdmenrollment.apple.com to get the list of devices" when I look at the DEP status and "The DEP service reported an error. (https://mdmenrollment.apple.com [403])
Unable to contact https://mdmenrollment.apple.com to add a device to a PreStage enrollment" when I go to the PreStage Enrollment page.

I did log into deploy.apple.com to make sure there wasn't new terms to accept (I remember having to do that back in Sept), but no new terms.

Any new ideas about this? Oh, and we are running JSS 9.6